What Edward Snowden Said At The Nordic Media Festival

On May 8, Edward Snowden spoke to the audience at the Nordic Media Festival in Bergen, Norway about surveillance and digital security. The session was moderated by journalist Ole Torp, who started by asking me how Snowden and I first met. What follows is a lightly edited transcript of my interview with Snowden. All of the questions were submitted by Norwegian journalists in the days leading up to the session. You can find a video recording of the session here.

Runa Sandvik

Ed and I first met about six months before the leaks came out where we organized a CryptoParty in Hawaii. A CryptoParty is a type of event where people can come and learn about encryption, about security, about how to protect themselves online.

Edward Snowden

It was really an amazing experience when we look at it in hindsight. This was before anyone knew who I was. Runa was associated with The Tor Project, which works to help protect people's anonymity online. I, at the time, was working for the NSA through a contractor, and sort of moonlighting also helping people protect their privacy, something the NSA might not have been too happy about. But the extraordinary thing about this, that we can draw as a lesson from it, is that these word of mouth efforts to teach people how to improve their security actually work. Because the same kind of methods that I used to teach people, ordinary citizens have used to protect themselves online. These methods also protected me against one of the largest manhunts in recent history.

Runa Sandvik

The first document that was published by The Guardian in June almost two years ago revealed that the NSA was collecting phone records of millions of Verizon customers daily. Shortly after this document was published, the American Civil Liberties Union (ACLU) filed a lawsuit. On May 7, we learned that the Second Circuit Court of Appeals held that the statute the government is relying on to justify this--Section 215 of the Patriot Act--does not permit the gathering of this information and that the surveillance program is unlawful. What was your reaction when you first heard about this?

Edward Snowden

This is significant and the importance of it in the United States' legal and policy communities really can't be overstated. When we look at the actual ruling and what it held, it was that the program, which had originally started as warrantless wiretapping under President George Bush in the 9/11-era, had never been lawful to begin with, and yet they did it anyway. What's extraordinary about this is the fact that in 2013, prior to the leaks, Amnesty International brought the same challenge against the same individuals, and they threw it out of court saying the organization could not prove it had been spied on. Because of this, whether or not the programs were lawful, whether or not they were a violation of rights, they would not allow them in the court room.

The first story that was published by Glenn Greenwald and the other journalists working on this showed that there was a secret court order, from a secret court, that basically said you can monitor the phone calls, intercept the call detail records, collect all the metadata. Metadata being analogous to the kind of information the Private Eye would collect if they were following you around. Not necessarily a record of every single word that you said in conversation with someone else, because you might notice them, but they know where you traveled, who you had met with, where the meeting took place, what time it occurred, how long it went on for, so on and so forth. That is metadata in the phone context. It's not what you say on the call, it's who you're calling, how long, association records, basically who your friends are. But this secret program authorized that to occur, in secret, by a secret court, and it wasn't something where it authorized any particular targeting of any particular individual. Rather, it said they can collect the phone records of all 330 million Americans in the country without having any criminal suspicion, without having any reasonable suspicion even of wrongdoing of any kind. Rather, they would collect it all in advance of any criminal investigation or criminal act.

This being struck down is really a radical sea change in the level of resistance that the United States government has faced thus far. So far, courts have said "it's not our place, our role, to tell the Executive Branch of the government how to do their job." It is extraordinarily encouraging to see the courts are beginning to change their thinking to say "if Congress will not pass reasonable laws, if the executive will not act as a responsible steward of liberty and rights in how they execute the laws, it falls to the courts to say this has gone too far." No fair reading of the law would authorize this, even if that had occurred it is not reasonable to expect the public to have known that this was the law, and it must change. And that's really significant and I think that this decision will not affect only the phone metadata program, it will affect every other mass surveillance program in the United States going forward.

Runa Sandvik

We have read a lot about the Five Eyes, which is the intelligence alliance that includes Australia, Canada, New Zealand, the UK and the U.S. We have also heard that the GCHQ and the NSA work closely together, and even that, in some cases, the GCHQ can do things that the NSA cannot and that NSA analysts are then allowed to sift through the data that the GCHQ has gathered. One thing that we haven't heard a lot about is what the relationship between the NSA and Scandinavian, or more specifically Norwegian, intelligence agencies is like?

Edward Snowden

I can't reveal new information, I leave that to the journalists. I made a specific decision in how I went about revealing information about these criminal activities and serious wrongdoing within the government, by recognizing that I had very strong political biases. If I simply revealed this unilaterally, it may not have been the best way to serve the public interest or mitigate any potential harms that could come about from this if I did not understand something or if there was some detail in there that could put someone at risk.

What I did was that I worked in partnership with the journalists who received the material. As a condition of receiving the material they agreed, prior to publication, to run these stories by the government. Not for the government to censor them, but for the government to be able to look at these and go "look, this isn't going to get anybody killed, this isn't going to put a human agent behind enemy lines at risk" or something like that. "This isn't going to make Al Qaeda be able to bomb buildings." And I think the value of this model has been proven to be quite effective. Because despite the fact that in 2013 the government was saying this was going to be the end of society, the atmosphere was going to ignite, and the seas were going to boil off, it was going to be an armageddon, here we are sitting in 2015. And despite the Director of the National Security Agency, Central Intelligence Agency, FBI, being asked to show damage as a result of these public revelations, they have never been able to show even a single case where it has caused harm to any particular individual or program.

With that caveat put out there, what I will say something about is the culture of modern intelligence, mass surveillance, and how these agencies interact with each other. The head of the Norwegian military intelligence service, I think, has already admitted that he shares information that has been collected by the Norwegian services with the NSA. They trade that back and forth with other countries, and this is very much the same that you see in the United States and other countries. Within the Five Eyes, it is much more liberal, much less controlled, because basically they simply put everything they collect in all their countries in a common bucket. And they sort through it and do whatever they want with it.

For other countries it's a little bit more like trading cards. I analogize it to a European bazaar. The Germans take what they have collected in Germany, and then they trade that with other countries. Same thing in the Netherlands, same thing in Norway or Sweden. But they all would argue that they are in full compliance with their laws. They would say "we do things in accordance with our policies, we've got restrictions, we can't target our citizens." But they are selling out every other citizen in the EU. They are selling out other countries in the EU, private companies, basic services, public services that everybody uses, as well as undermining the simple security that protects communications as they transit through Europe. The problem is that when every individual country is doing these same things, you end up with situations where the Danes say "we're not spying on the Danes," and the Germans say they are not spying on the Germans. But when Danish communications enter German borders, they are spied upon and shared. And when German communications enter Danish borders, they are spied upon and shared. So the net result is that we all end up in that state, we all end up more exposed.

When we look at the fundamentals of mass surveillance, even if we agree that this was good policy, which is very much in contention and has never been shown to be helpful, we would go "is the cost of liberty of these programs worth the benefit? Is there any sort of hypothetical benefit that we can gain from it?"

In the United States, because of the scale of the scandal and the aggressiveness of the press, the President of the United States was forced to appoint two independent panels from the White House; the Privacy and Civil Liberties Oversight Board and another one called the Review Group on Intelligence and Communications Technologies. They both had comprehensive access to classified information. There was nothing these intelligence agencies could hold back from them. They could interview everyone from the highest level to the lowest level in them, and they looked at these mass surveillance programs and they said "let's talk about efficiency, let's talk about metrics." Has, for example, the 215 program, Section 215 of the Patriot Act that was struck down as unlawful yesterday, but has still been continuing, "did that actually help stop an attack?" And this panel had every incentive to let the government off the hook and say "this is great, this is really helpful," because it was appointed and comprised of friends of the President and other members of the White House policy community. Former Deputy Director of the CIA, I believe, was among them.

What they said in fact was that not only had these programs never stopped a single terrorist attack despite operating for around ten years, they had never made a concrete difference even in a single terrorism investigation. There's really a lot of evidence that mass surveillance has no public safety benefit, but it does have a significant cost of liberty. Once we're looking at this reality, we need to be asking questions in somewhat of a different frame. Journalists need to realize for themselves that despite claims of "terrorism, terrorism" when these laws were being authorized, these programs are not about terrorism. These are not public safety programs. These are spying programs. Their value is in intelligence gathering, not in anti-terrorism.

Runa Sandvik

A lot of the articles that we've read, and a lot of the documents that have been published, are specifically about the U.S. and U.S. citizens. How does this affect people outside the U.S.? How does this affect Norwegian citizens?

Edward Snowden

This is quite difficult for anyone who is outside of the United States, who is not a U.S. citizen. The PRISM program was one of the first ones that was revealed. All of the corporate identifiers that you see in this slide, the logos, are partners with the U.S. National Security Agency. They all trade information on the basis of some kind of compulsion. If you are a U.S. citizen, they can't get this information theoretically through the companies without providing a warrant. Now the sad thing is that warrant goes through the secret court, and that secret court is kind of a rubber stamp, they are not reliable. In 35 years, they have only said no 12 times. But if you are not a U.S. citizen, no warrant is required. The Attorney General of the United States signs a blanket warrant for entire classes of behavior. And if you are a foreign national and they consider you of interest because you match one of these classes of behaviors, they can demand your private details from any of these companies and you have no legal recourse, you are not alerted that it happened, you don't have any access to the courts. And if it is eventually used against you at trial, at least traditionally--this is beginning to change now--you would not even be told that this secret evidence was used in the development of your case.

Runa Sandvik

You have previously said that NSA analysts, if given someone's email address, can look up that person's email. Is that the case even for Norwegian citizens? Can an NSA analyst for example look up the email of the Prime Minister of Norway?

Edward Snowden

This comes down to the technical structuring of how these programs of mass surveillance work. I worked with them personally, so I know this is factual. And it's actually never been contested in any sworn testimony. What we are talking about here is a system called XKeyscore. Think of it as a Google search for spies; all of the different intercept points around the world, all of the buckets that are being filled by mass surveillance, in all of these different countries; the United States, the UK, New Zealand, and so on. If your private communications as a Norwegian citizen pass through any of these countries, pass through any of these sensors, they fall in the buckets. I, as an analyst, sitting at my desk can search those buckets for anyone, technically. People will say there are policy restrictions, there is auditing and whatnot, but those really aren't reliable and we know that because the NSA now for some years, after the 2013 revelations occurred, say they have no idea what I had access to, what information was given to journalists, despite the fact that it's now in the newspapers.

The real danger here is not whistleblowers. It's not the idea that if someone could take classified information that indicates criminality and serious wrongdoing, and provide it to the press, that's not a threat to democracy. In fact, there are strong arguments that that is actually a strong defense of good government. But what happens when there are individuals at these agencies, whether it's authorized and this is an official operation happening within the course of their work, or they are doing this privately for their own agenda, their own intentions, for political purposes, begin searching for anyone? The bottom line here is, anything that crosses the Internet, that is not protected by encryption, reliable and robust encryption, that will defend against attacks by the most sophisticated adversaries, state level actors, groups like the National Security Agency, or the UK GCHQ, they fall in these buckets.

When the Prime Minister of Norway sends an email over the Internet and it's not sent through another secure system within the government, or it's a CEO of a European company, or it's a civil rights activist in Norway who is trying to protest drone strikes in the Middle East, or trying to campaign against torture, that's in these systems. And that's one search away from any analyst's fingertips. And there are really no good, reliable protections against abuse here. We know this is the case because we see this being discussed in Germany right now. The Germans had set up a system that allowed analysts of the National Security Agency, the British security agency and so on, to send searches against their systems as well. The idea here was that these searches would be screened by machine filters to drop out any search that might be contrary to the rules, but the problem is no human was looking at these searches in advance of what was happening and actually laying eyes on it and going "this is a legitimate target, this is a legitimate surveillance request, this is compliance with a court order, or this is someone going on a fishing expedition, or this is contrary to our domestic laws." That kind of auditing would only happen on the back-end, after searches would occur. It would happen on a random and partial basis, it wouldn't be comprehensive. In fact, in the German inquiry, just a few days ago, the people in charge of this in the German BND, the local domestic intelligence collection agency, they said that the records of what had been searched by the NSA had been accidentally deleted as soon as the Parliament began asking for it.

This is not a criticism of Germany specifically, this is not a criticism of the U.S. specifically, this is not about anti-Americanism. This is a global problem. This is happening in countries not just in advanced economies, liberal societies. This is happening in authoritarian countries. Deeply illiberal states. And the worse our policies are here, the fewer protections that we afford citizens, the more we embolden very dangerous actors in very dangerous regions to do things that are even worse. We have a moral obligation, a natural incentive, for the protection of our own liberties, to set a standard here that really pushes us forward and improves the protections of rights, not something that undermines them and provides all of these different methods of backdoor access. Not just to intelligence agencies, but to any abuse. Once you begin cataloging and collecting, the private records, data generated by people's private lives; where they go, who they talk to, what their cellphones are doing, their call records, their Internet transactions. This data becomes a target. And we've seen this from hacks and cyber security incidents over the last several years. If you create a database that is basically a collection of all the most deeply personal, valuable to adversaries, and incriminating details about everyone's private lives, they will be abused, they will be attacked and they will fall outside of our control. We should not be creating weapons that can be used against us.

Runa Sandvik

We talked a bit about digital security tools earlier, and I wanted to come back to this in my final question. What can concerned citizens do, what can journalists do, to actually protect themselves online?

Edward Snowden

There is a CryptoParty movement, and you should be quite familiar with this, where people who have some understanding of the real technical capabilities here and the countermeasures, work within their communities to increase the sophistication of journalists, of ordinary citizens, everybody around them, to enable them to assert defenses against these. The problem today of mass surveillance is that most of our communications transit the Internet electronically naked, they are unencrypted. That means that whether you're ordering something online, whether you are sending an email, whether you are communicating with your friend via your cell phone, the telecommunications service providers who are sitting in the middle can intercept, in bulk, everything that is transiting those lines. They can be compelled by intelligence services and by law enforcement services, they can be compromised by criminal hackers and other adversaries.

When you use systems, one for example is Tor, an anonymizing routing network. It can be called a mix net because it protects everyone's communication by mixing them together and making it harder to see where they originated and what their ultimate destination is. When you begin doing this, or you use a Virtual Private Network, a VPN provider or something like that, you armor your communications as they pass through those interception points, as they pass through those telecommunications providers. And you make it much more difficult to intercept not just your communications, because you may not have anything, in your private life, that could put you in prison. You may not be a journalist working with sensitive sources, but when you adopt the same methods of communication that are used by journalists, that are used by activists in very vulnerable positions, or basically working against authoritarian regimes, what you're doing is creating a method, a reliable method of herd immunity even if you aren't trying to protect your communications, you can protect other people's communications by proxy. You are helping them get lost in the noise.

The way to think about this is a lot of people say, particularly in Scandinavian countries, they go; "I trust my government, I don't think that they are doing anything wrong," which is actually a little bit generous here. But if you do believe that, and that's fair, because governments aren't villains, governments aren't these evil, terrible opponents... Generally these are good people trying to do good things. The problem is the culture in the intelligence communities where good people can do bad things for good reasons. When the ends justify the means, when we adopt utilitarian methods of operating, these can have deeply corrosive impacts, not just on the operations of our government, but the outcomes of those operations for our society. The thing you want to think about here is, it's not about if you're doing anything wrong, it's not about if your government is doing something wrong, we have a fundamental human right to privacy. The monitoring of individuals, in advance of any criminal activity, is a violation of human rights. This is not something that's asserted by me, this is something that's asserted by the United Nations. And basically any human rights, civil rights, international law lawyer out there, the Universal Declaration of Human Rights affirms this, the International Covenant on Civil and Political Rights affirms this, this is the standard of international behavior worldwide.

Some politicians want to take the easy way out, they want to justify intrusive programs, they want to justify pre-criminal investigation into everyone in society, regardless of their role. They say "well, it will help with terrorism." We have statistics now from people who have very advanced programs, such as the United States, where the intelligence gathering budget is 75 billion dollars a year, and they say "no, it doesn't, no it doesn't stop terrorism." It may provide an intelligence gathering benefit, but even if it does, the argument where people say "if you have nothing to hide, you have nothing to fear," "I don't care if they look at me because I have nothing to hide," that's no different than saying "I don't care about free speech because I have nothing to say."

This is a deeply illiberal concept and something that we have an obligation to resist. It is something that we have an obligation to push back against. Our rights are protected by governments, but they are not granted by governments. When governments go too far, the good citizen doesn't stand by and say that's OK, they gently remind their government--and they get more muscular as time goes on and the government gets more wayward--that they need to correct their course, that we need to remember that governments are here to improve the quality of human life, not to undermine it.

(Disclosure: I’m on the Freedom of the Press Foundation’s Technical Advisory Board where Snowden sits on the foundation's board of directors.)

Runa A. Sandvik is a privacy and security researcher, working at the intersection of technology, law and policy. She is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit project, and has been involved with The Tor Project since 2009. She...